
Faculty of Computing, Engineering & Media (CEM)

Coursework Brief 2022/23

Module name: Network Forensics


Module code: CTEC3424
Title of the Assessment: Network Forensics Report
This coursework item is: (delete as appropriate) Summative
This summative coursework will be marked anonymously: Yes
The learning outcomes that are assessed by this coursework are:
1. Apply research-based approach to forensic analysis.
2. Analyse and interpret digital evidence from a variety of sources.
3. Present findings to both executive and technical audiences.
This coursework is: (delete as appropriate) Individual

This coursework constitutes 100% of the overall module mark.


Date Set: Friday 24th February 2023
Date & Time Due (the deadline): Thursday 20th April 2023 at 12.00 noon Leicester UK time
In accordance with the University Assessment and Feedback Policy, your marked coursework and
feedback will be available to you on: Monday 15th May 2023
You should normally receive feedback on your coursework no later than 15 University
working days after the formal hand-in date, provided that you have met the submission
deadline.
If for any reason this is not forthcoming by the due date your module leader will let you know
why and when it can be expected. The Associate Professor Student Experience
(CEMstudentexperience@dmu.ac.uk) should be informed of any issues relating to the return
of marked coursework and feedback.
When completed you are required to submit your coursework via:
1. PDF of report: electronically submitted via Turnitin on Blackboard.
If you need any support or advice on completing this coursework please visit the Student
Matters tab on the CEM Blackboard shell.
Late submission of coursework policy:
Late submissions will be processed in accordance with current University regulations.
Please check the regulations carefully to determine what late submission period is
allowed for your programme.
Academic Offences and Bad Academic Practices:
Please ensure you read the section entitled “Academic Offences and Bad Academic
Practice” in the module handbook or the relevant sections in this link: BaseCamp Link:
Overview: Assessment and Good Academic Practices

Tasks to be undertaken:

For this assignment you will need to complete some practical tasks followed by a report based on
your practical tasks – you will need to follow the instructions carefully.
• If you are not sure what you need to do or get stuck it is YOUR responsibility to ask for
support in plenty of time before the deadline.
• As a reminder, any form of forensics will not be a quick process so you should plan your time
accordingly and commence working on the coursework ASAP.

1. Setup provided files appropriately.
2. Investigate the network provided.
3. Analyse artefacts appropriately, proving their integrity is intact.
4. Write up a technical report for non-technical executives.
5. Write up your professional recommendations for the non-technical executives.

Deliverables to be submitted for assessment:

An executive report with recommendations of 2,000 words, submitted as a PDF that uses Harvard
referencing, and uses appendices appropriately.

How the work will be marked: See attached Marking Grid


Module leader/tutor name: Sarah De’Ath
Contact details: sarah.hd@dmu.ac.uk

Should you need any further information or advice please email cemadvicecentre@dmu.ac.uk

Expanded Guidance on Task to be completed:

1. You will be provided with some files to use; you will be directed to set the files up together
so that they form a working network correctly. This step is important to get right: if you
don’t follow the steps you will not be able to complete any further tasks, so make sure you
check you understand what to do! Don’t forget to start your contemporaneous notes as you
will need to write about how you set up the network at the beginning of your report.

2. You will need to perform some network forensics on the network/provided files, ensuring
that you preserve the integrity of the files at all times using appropriate methods, and
prove the integrity has not been compromised when your analysis is complete. This
is an important part of the coursework and any forensic investigation so do not forget to do
this. Continue taking contemporaneous notes whilst doing each step of this.

3. Collect and preserve all artefacts you locate during your investigation using appropriate
methods.

4. Analyse all artefacts you have collected, keeping their integrity and proving it is intact.

5. Write up what you have found during your analysis. Ensure you are writing your report
for the non-technical executives – state the technical then explain what that means in
non-technical UK English, showing you understand what you are explaining.

6. Write up your recommendations to the non-technical executives. You need to tell them
what steps to take to secure the network, mitigating any current issues (if there are any)
and preventing further issues. Think about the language you need to use here and also
what will help them understand your recommendations so they can easily approve them.

7. In your appendices, Appendix A should be Harvard format References, you can use as
many appendices as you require, however each appendix should only contain one item
and it should be labelled clearly with what is presented in the appendix. Any screenshots
used should not be cropped and should cover as much of the page as possible (keep their
size ratio by making larger using the corners not the sides). Please use the tools within
Word to help you highlight areas you are referring to.

8. If you run into an issue or are stuck it is your responsibility to ask for support – do this
as soon as you can to avoid further delays. You should go back over all your coursework
instructions to try and see if you can sort out the issue yourself but if you have tried and
something is still not working then you should email the module leader ASAP or attend
office hours.

Confidential Document
Instructions to: CTI NF Team
Distribution: CTEC3424_2023_502
Date: Friday 24th February 2023
Particulars of the case:
Lesta Recruit are a local recruitment agency, with a small number of employees operating
out of their office in the city centre.
A company director was contacted by the company’s Internet Service Provider last year,
who reported some suspicious activity. The Lesta Recruit directors are not technical and
have asked you to assist them with investigating the issues. They have been trying to get
the issues resolved for the past 12 months but they have not been able to sort it internally
so they have now decided to outsource it.
The potential issue was reported by phone to the company director, who did not really
understand what the issue was and can only remember that it might have something to
do with malware communication. The Internet Service Provider want to cut the company
off from the Internet, which would be disastrous for the company, and is of great concern
to the company directors who are very worried.
You have been contracted to the company to assist, investigate and to provide a report of
your findings with your recommendations to resolve the issue(s).
You have been granted access to their network only for the purposes of your investigation.
You have written permission to perform Network Forensics only. You are not allowed to
change the network configuration or remove any data. If your investigation leads you to
believe any other investigatory activities (such as physical or host forensics, firewall
changes or quarantining hosts) should be carried out, this should be included in your
report as recommended follow up activity.
The company does not have any regular IT staff since the last person left the role 5
months ago and is yet to be replaced. Due to the incident the company directors are about
to contract out their IT support to a local company. Your report may be passed on to allow
any necessary remediation to take place.
Some technical network documentation is available and will be provided, although it
cannot be guaranteed to be accurate or up to date. You will be provided a workstation for
your investigation; you are able to install tools as you require them.

Under the terms of your contract, you have been asked:

1. If there has been some sort of intrusion to their network.
a. How did the intrusion occur?
b. Which (if any) systems have been compromised?
c. What (if any) is the nature of that compromise?
d. Why is the ISP considering disconnecting the company from the Internet?

2. A timeline of events.

3. If it looks like there is or has been any criminal activity or UK laws have been broken,
the Lesta Recruit executives will cooperate fully with the police on the matter, so they
wish to be informed if this is the case, any proof of this activity will need to be collected
and preserved as per usual guidelines.

4. If there is anything the company can do to help prevent future issues, or any follow up
investigation activities that you would recommend.

CTEC3424 Network Forensics 2023 Coursework Setup

To enable your investigation, 3 virtual machines have been provided that form the network that
you are investigating. A 4th virtual machine has also been provided to act as your investigation
workstation.

Some minimal configuration is required to import the VMs, and configure networking to build your
own copy of the network.

As configured, the 4 virtual machines will need roughly 16GB of RAM, and should run fine in any
of the CTI labs.

1. Download the entire coursework folder to your P number folder on the D drive of the CTI Lab
machine you will be using, you can either copy it across from the CSC shared folder:
\\146.227.150.4\csc\CTEC3424\Coursework2023
Or you can use the link to Dropbox on Blackboard and download the file to your P number folder.

2. Open VMWare Workstation (here I’ve used version 17 Player). When on the home screen, select
the Open a Virtual Machine option:

You will then be presented with the Open Virtual Machine window, please navigate to your
P number folder on the D drive where you saved the coursework folder and locate the 1st
VM file (Router) then click Open:

3. You will then be asked to name the VM and tell it where to store the VM files:

I suggest you call the VM the same as the folder (in this case 1_Router), plus you should also
set the storage to your P number folder on the D drive like I have here – I’ve created a specific
folder called VMStorage to keep it in. Make sure you set the folder to the D drive, or the C drive
will run out of space.

Once you have selected the correct storage path and added the name for this VM press Import
and the first VM will start importing:

***Do NOT boot any of the VMs until they have ALL been imported and configured***

4. When it has finished importing and is visible under the Home tab, you now need to Edit the
settings of the VM to setup the network.

To do this, please click on the Edit virtual machine settings option:

5. When the Virtual Machine Settings window appears, make sure you are on the Hardware tab to
change the network adapter settings, you will do the previous steps for each of the 4 VMs and
you will also change the network settings for each VM, but the Router has 4 settings that need
changing whereas the other VMs only have one network setting each to change…

…first check the Network Adapter is set to NAT:

Next Change Network Adapter 2, 3, and 4:

To change them, you first click on the network adapter on the left you want to change, then on
the right you select the Custom radio button followed by the dropdown underneath then selecting
the appropriate VMnet depending on the adapter you are on:

So Network Adapter 2 should use VMnet2 etc. Use the same number.

When you’ve done all of the network settings on the Router, you can then click OK and you’ll
return to the VMware Workstation window.

***Do NOT boot any VMs up until they’ve all been configured***

6. To import the next VM, select the Home tab again, then the Open virtual machine option:

7. You can then import the 2_Syslog Server, changing the name and storage path like you
did before:

8. For 2_Syslog Server you will need to change the Network Adapter to VMnet2:

9. Once you’ve sorted the 2_Syslog Server, move on to 3_Web Server:

10. Then finally you can import the 4_Investigator VM:

The Network Adapter for 4_Investigator needs to be on VMnet4:

You can also use VMnet4 for any other devices that need to be
connected, should you need to add any other VMs.

Login Details

1_Router
User: root
Password: admin9983

2_SyslogServer
User: dmu
Password: admin9983

3_Web Server
User: dmu
Password: admin9983

4_Investigator
User: dmu (will appear as ‘Investigator’ at the login screen, but the account username is dmu)
Password: admin9983

Network Map

CTEC3424 Coursework Marking Grid 2023
Grade bands: <40% Fail; 40-49% 3rd; 50-59% 2:2; 60-69% 2:1; 70%+ 1st

1. A suitable report has been produced for the given audience. (30 Marks Max)

<40% Fail: A report was attempted but it might have not been structured appropriately. Little or
no use of headings and sub-headings has been made. The writing style might have been hard to
follow and not suitable for the given audience in mind.

40-49% 3rd: A report has been written with some headings and sub-headings. The written style is
mostly suitable for the given audience. It could be too technical or not detailed enough in places.

50-59% 2:2: A structured report has been written, with good use of headings and sub-headings.
The written style is suitable for the given audience, containing mostly non-technical language
and provides a suitable amount of details.

60-69% 2:1: A well-structured report has been written, with good use of headings and
sub-headings. The written style is very suitable for the given audience, and provides detail but
explains things well in non-technical language.

70%+ 1st: A very well-structured report has been written, with excellent use of headings and
sub-headings. The written style is extremely suitable for the given audience and provides
excellent detail whilst explaining things in non-technical language.

2. Digital artefacts have been preserved, analysed, and interpreted in relation to a given
scenario using a research-based approach. (35 Marks Max)

<40% Fail: Little demonstration of preserving digital artefacts appropriately. Little analysis has
been made of any artefacts, so no interpretation has been made. Or an analysis was attempted,
and it was completely incorrect and had no relation to the assignment. There is no mention of a
timeline.

40-49% 3rd: An appropriate technique has been used to preserve at least one digital artefact.
One or more artefacts will have been analysed although their meaning or significance in relation
to the investigation, might not have been made clear. Some mention of a timeline should be made
explaining how it would support the investigation.

50-59% 2:2: Appropriate techniques have been used to preserve the digital artefacts. Artefacts
will have been analysed and their meaning and significance in relation to the investigation will
have been discussed fairly well. A timeline has been created and it has been used to help analyse
the artefacts.

60-69% 2:1: Appropriate techniques have been used to preserve and prove the artefacts have not
been modified. Artefacts will have been well analysed and their meaning and significance in
relation to the investigation will have been discussed very well. A timeline has been created and
it has been used well to help analyse the artefacts.

70%+ 1st: Appropriate techniques have been used to preserve and prove the artefacts have not
been modified. Artefacts will have been analysed and their meaning and significance in relation
to the investigation, has been discussed extremely well. A timeline has been created and it has
been used very well to help analyse the artefacts.

3. Specific recommendations have been researched and presented appropriately. (35 Marks Max)

<40% Fail: Recommendations may have been made but they are incorrect for the given scenario.

40-49% 3rd: Recommendations to mitigate future issues or further investigation have been made,
but they might be more general rather than specific to the given scenario.

50-59% 2:2: Some recommendations have been made to mitigate issues or for follow up activities,
that are suitable for the given audience and scenario.

60-69% 2:1: Some good recommendations have been made to mitigate issues or for follow up
activities, that are specific for the given audience and scenario.

70%+ 1st: Some excellent recommendations have been made to mitigate issues and for follow up
activities, that are very specific for the given audience and scenario.